Security Information / 2012 / Security Information -- DSA-2480-4 request-tracker3.8

Debian Security Advisory

DSA-2480-4 request-tracker3.8 -- several vulnerabilities

Date Reported:

15 Sep 2012

Affected Packages:

request-tracker3.8

Vulnerable:

Yes

Security database references:

In the Debian bugtracking system: Bug 674924, Bug 675369.
In Mitre's CVE dictionary: CVE-2011-2082, CVE-2011-2083, CVE-2011-2084, CVE-2011-2085, CVE-2011-4458, CVE-2011-4459, CVE-2011-4460.

More information:

Several vulnerabilities were discovered in Request Tracker, an issue tracking system:

• CVE-2011-2082

  The vulnerable-passwords scripts introduced for CVE-2011-0009 failed to correct the password hashes of disabled users.

• CVE-2011-2083

  Several cross-site scripting issues have been discovered.

• CVE-2011-2084

  Password hashes could be disclosed by privileged users.

• CVE-2011-2085

  Several cross-site request forgery vulnerabilities have been found. If this update breaks your setup, you can restore the old behaviour by setting $RestrictReferrer to 0.

• CVE-2011-4458

  The code to support variable envelope return paths allowed the execution of arbitrary code.

• CVE-2011-4459

  Disabled groups were not fully accounted as disabled.

• CVE-2011-4460

  SQL injection vulnerability, only exploitable by privileged users.

Please note that if you run request-tracker3.8 under the Apache web server, you must stop and start Apache manually. The restart mechanism is not recommended, especially when using mod_perl.

For the stable distribution (squeeze), these problems have been fixed in version 3.8.8-7+squeeze5.

For the unstable distribution (sid), these problems have been fixed in version 4.0.5-3.

We recommend that you upgrade your request-tracker3.8 packages.